|
|
|
|
5.
|
Strong Passwords: Passwords must be strong. They must be at least 10 characters with numbers, letters, and symbols.
However, we go much further than that. When you enter a password we do what is known as add salt to it. Salting a password
means adding additional characters to your password before it is SHA512 hashed. Again we go even further than this. We salt
each password by adding random characters of random length in a randon position before SHA512 hashing a password. By salting
a password before hashing it means it would take trillions of years to find the reverse hash using even the best technology
currently available. However, in the nearly impossible event that one password is reverse hashed, what they learned cracking
one password will not work on any other password and the hacker would have to start from scratch on every other password!
|
|
|
|
|
6.
|
5 Minute Lockout: After 5 failed login attempts the account is locked for 5 minutes
preventing brute force attacks.
|
|
|
|
|
7.
|
SHA512 Password Hashing: User passwords are NOT stored in the database. Only a SHA512 hash of the
password is stored. To make it even more secure, before hashing the password a random salt of random
length is added to the password in a random position before performing the SHA512 hash. Also the salt is
not stored anywhere. This also means that if a user forgets their password they can only request a link
to reset their password. Once a password reset is sent to their email they must click the link in the
email which contains a unique key in the url. The site verifies the key is the same one sent to the user.
Once the key is verified they must also answer one of the security questions they provided an answer for
when they created their account. Only then can they reset their password.
|
|
|
|